Merge branch 'main' into session-stores

# Conflicts: # EXAMPLES.md # src/auth0-session/get-config.ts # src/edge.ts # src/helpers/testing.ts # src/index.ts
auth0 · Dec 9, 2022 · 6468115 · 6468115
2 parents 7a7e5d9 + c690370
commit 6468115
Show file tree

Hide file tree

Showing 144 changed files with 6,029 additions and 4,235 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,6 +1,6 @@
 version: 2.1
 orbs:
-  ship: auth0/ship@0.7.4
+  ship: auth0/ship@0.7.7
 jobs:
   build:
     docker:
@@ -28,7 +28,7 @@ jobs:
           name: browserstack
           command: |
             if [ -z "$CIRCLE_PR_NUMBER" ]; then
-              npx start-server-and-test 'start:kitchen-sink-local' http://127.0.0.1:3000 'browserstack-cypress run --build-name $CIRCLE_BRANCH'
+              npx start-server-and-test 'start:kitchen-sink-local' http://localhost:3000 'browserstack-cypress run --build-name $CIRCLE_BRANCH --no-wrap'
             fi
       - store_test_results:
           path: test-results
@@ -43,7 +43,6 @@ workflows:
           context:
             - browserstack-env
       - ship/node-publish:
-          publish-command: npm publish --tag beta
           requires:
             - build
           context:
@@ -52,4 +51,4 @@ workflows:
           filters:
             branches:
               only:
-                - vNext
+                - main
diff --git a/.gitignore b/.gitignore
@@ -26,6 +26,10 @@ cypress/screenshots
 cypress/videos
 cypress.env.json
 
+# Browserstack
+browserstack-cypress-report.*
+build_results.txt
+
 # Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
 .grunt
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,9 +1,81 @@
 # Change Log
 
+## [v2.0.1](https://github.com/auth0/nextjs-auth0/tree/v2.0.1) (2022-12-09)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v2.0.0...v2.0.1)
+
+**Fixed**
+- afterCallback return type fix [\#954](https://github.com/auth0/nextjs-auth0/pull/954) ([alexmalev](https://github.com/alexmalev))
+- fix/rerenders: useMemo to avoid unnecessary rerenders [\#945](https://github.com/auth0/nextjs-auth0/pull/945) ([stavros-liaskos](https://github.com/stavros-liaskos))
+
+## [v2.0.0](https://github.com/auth0/nextjs-auth0/tree/v2.0.0) (2022-12-01)
+
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v1.9.2...v2.0.0)
+
+**⚠️ BREAKING CHANGES**
+
+- Refactor session lifecycle [\#787](https://github.com/auth0/nextjs-auth0/pull/787) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- Rearrange exports for RSC and add experimental RSC route to example [\#913](https://github.com/auth0/nextjs-auth0/pull/913) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- Improved callback errors [\#835](https://github.com/auth0/nextjs-auth0/pull/835) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- Prevent mixing named exports and own instances [\#825](https://github.com/auth0/nextjs-auth0/pull/825) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- Allow to override the user prop in server-side rendered pages [\#800](https://github.com/auth0/nextjs-auth0/pull/800) ([Widcket](https://github.com/Widcket))
+- Return 204 from /api/auth/me when logged out [\#791](https://github.com/auth0/nextjs-auth0/pull/791) ([Widcket](https://github.com/Widcket))
+
+  **Added**
+
+- Next.js Middlware support [\#815](https://github.com/auth0/nextjs-auth0/pull/815) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- Add testing utility for generating session cookies [\#816](https://github.com/auth0/nextjs-auth0/pull/816) ([Widcket](https://github.com/Widcket))
+- Add updateUser [\#855](https://github.com/auth0/nextjs-auth0/pull/855) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- Add support for configuring the built-in handlers [\#826](https://github.com/auth0/nextjs-auth0/pull/826) ([Widcket](https://github.com/Widcket))
+- Add support for configuring the default handlers [\#840](https://github.com/auth0/nextjs-auth0/pull/840) ([Widcket](https://github.com/Widcket))
+- Add logout options [\#877](https://github.com/auth0/nextjs-auth0/pull/877) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- At error cause to AT error when it's from a failed grant [\#878](https://github.com/auth0/nextjs-auth0/pull/878) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- Add option to not store ID Token in session [\#809](https://github.com/auth0/nextjs-auth0/pull/809) ([Widcket](https://github.com/Widcket))
+- Default error handler [\#823](https://github.com/auth0/nextjs-auth0/pull/823) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- Allow response customization in afterCallback [\#838](https://github.com/auth0/nextjs-auth0/pull/838) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- Improve API docs [\#796](https://github.com/auth0/nextjs-auth0/pull/796) ([Widcket](https://github.com/Widcket))
+- Improve errors [\#782](https://github.com/auth0/nextjs-auth0/pull/782) ([Widcket](https://github.com/Widcket))
+
+See [V2 Migration Guide](./V2_MIGRATION_GUIDE.md) for full details.
+
+## [v2.0.0-beta.4](https://github.com/auth0/nextjs-auth0/tree/v2.0.0-beta.4) (2022-11-18)
+
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v2.0.0-beta.3...v2.0.0-beta.4)
+
+**⚠️ BREAKING CHANGES**
+
+- Rearrange exports for RSC and add experimental RSC route to example [\#913](https://github.com/auth0/nextjs-auth0/pull/913) ([adamjmcgrath](https://github.com/adamjmcgrath))
+
+**Fixed**
+
+- WithMiddlewareAuthRequired should return 401 for /api routes [\#909](https://github.com/auth0/nextjs-auth0/pull/909) ([adamjmcgrath](https://github.com/adamjmcgrath))
+
+## [v2.0.0-beta.3](https://github.com/auth0/nextjs-auth0/tree/v2.0.0-beta.3) (2022-11-08)
+
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v2.0.0-beta.2...v2.0.0-beta.3)
+
+**Fixed**
+
+- Fix edge cookie support for Next < 13.0.1 [\#900](https://github.com/auth0/nextjs-auth0/pull/900) ([adamjmcgrath](https://github.com/adamjmcgrath))
+
+## [v2.0.0-beta.2](https://github.com/auth0/nextjs-auth0/tree/v2.0.0-beta.2) (2022-11-02)
+
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v2.0.0-beta.1...v2.0.0-beta.2)
+
+**Added**
+
+- At error cause to AT error when it's from a failed grant [\#878](https://github.com/auth0/nextjs-auth0/pull/878) ([adamjmcgrath](https://github.com/adamjmcgrath))
+- Add logout options [\#877](https://github.com/auth0/nextjs-auth0/pull/877) ([adamjmcgrath](https://github.com/adamjmcgrath))
+
+**Fixed**
+
+- Fix for new req.cookie interface [\#894](https://github.com/auth0/nextjs-auth0/pull/894) ([adamjmcgrath](https://github.com/adamjmcgrath))
+
 ## [v2.0.0-beta.1](https://github.com/auth0/nextjs-auth0/tree/v2.0.0-beta.1) (2022-10-21)
+
 [Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v2.0.0-beta.0...v2.0.0-beta.1)
 
 **Fixed**
+
 - status getter is not enumerable so needs to be added to NextResponse [\#875](https://github.com/auth0/nextjs-auth0/pull/875) ([adamjmcgrath](https://github.com/adamjmcgrath))
 
 ## [v2.0.0-beta.0](https://github.com/auth0/nextjs-auth0/tree/v2.0.0-beta.0) (2022-10-11)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -21,3 +21,21 @@ Please read [Auth0's contribution guidelines](https://github.com/auth0/open-sour
 - `npm run start:kitchen-sink`: Run the kitchen sink example
 - `npm run test:kitchen-sink`: Run the E2E tests (you will need to populate the `CYPRESS_USER_EMAIL` and `CYPRESS_USER_PASSWORD` env vars)
 - `npm run test:kitchen-sink:watch`: Run the E2E tests and watch for changes
+
+## Running examples against a mock openid provider
+
+Your env vars in `/examples/kitchen-sink-example/.env.local` should look like
+
+```bash
+AUTH0_SECRET=#ANY LONG RANDOM VALUE
+AUTH0_ISSUER_BASE_URL=http://localhost:3000/oidc
+AUTH0_BASE_URL=http://localhost:3000
+AUTH0_CLIENT_ID=testing
+AUTH0_CLIENT_SECRET=testing
+```
+
+Then run one of the commands:
+
+- `start:kitchen-sink-local`: "npm run dev:local --prefix=examples/kitchen-sink-example",
+- `test:kitchen-sink-local`: Run the E2E tests against a mock openid provider
+- `test:kitchen-sink-local:watch`: Run the E2E tests against a mock openid provider and watch for changes
diff --git a/EXAMPLES.md b/EXAMPLES.md
@@ -10,6 +10,7 @@
 - [Access an External API from an API Route](#access-an-external-api-from-an-api-route)
 - [Create your own instance of the SDK](#create-your-own-instance-of-the-sdk)
 - [Add a signup handler](#add-a-signup-handler)
+- [Use with Base Path and Internationalized Routing](#use-with-base-path-and-internationalized-routing)
 - [Use a custom session store](#use-a-custom-session-store)
 
 All examples can be seen running in the [Kitchen Sink example app](./examples/kitchen-sink-example).
@@ -41,7 +42,7 @@ Wrap your `pages/_app.jsx` component in the `UserProvider` component.
 ```jsx
 // pages/_app.jsx
 import React from 'react';
-import { UserProvider } from '@auth0/nextjs-auth0';
+import { UserProvider } from '@auth0/nextjs-auth0/client';
 
 export default function App({ Component, pageProps }) {
   // You can optionally pass the `user` prop from pages that require server-side
@@ -60,7 +61,7 @@ Check the user's authentication state and log them in or out from the front end
 
 ```jsx
 // pages/index.jsx
-import { useUser } from '@auth0/nextjs-auth0';
+import { useUser } from '@auth0/nextjs-auth0/client';
 
 export default () => {
   const { user, error, isLoading } = useUser();
@@ -168,7 +169,7 @@ Requests to `/pages/profile` without a valid session cookie will be redirected t
 
 ```jsx
 // pages/profile.js
-import { withPageAuthRequired } from '@auth0/nextjs-auth0';
+import { withPageAuthRequired } from '@auth0/nextjs-auth0/client';
 
 export default withPageAuthRequired(function Profile({ user }) {
   return <div>Hello {user.name}</div>;
@@ -186,7 +187,7 @@ Requests to `/pages/api/protected` without a valid session cookie will fail with
 import { withApiAuthRequired, getSession } from '@auth0/nextjs-auth0';
 
 export default withApiAuthRequired(async function myApiRoute(req, res) {
-  const { user } = getSession(req, res);
+  const { user } = await getSession(req, res);
   res.json({ protected: 'My Secret', id: user.sub });
 });
 ```
@@ -196,7 +197,7 @@ Then you can access your API from the frontend with a valid session cookie.
 ```jsx
 // pages/products
 import useSWR from 'swr';
-import { withPageAuthRequired } from '@auth0/nextjs-auth0';
+import { withPageAuthRequired } from '@auth0/nextjs-auth0/client';
 
 const fetcher = async (uri) => {
   const response = await fetch(uri);
@@ -222,7 +223,7 @@ To protect all your routes:
 
 ```js
 // middleware.js
-import { withMiddlewareAuthRequired } from '@auth0/nextjs-auth0/middleware';
+import { withMiddlewareAuthRequired } from '@auth0/nextjs-auth0/edge';
 
 export default withMiddlewareAuthRequired();
 ```
@@ -231,7 +232,7 @@ To protect specific routes:
 
 ```js
 // middleware.js
-import { withMiddlewareAuthRequired } from '@auth0/nextjs-auth0/middleware';
+import { withMiddlewareAuthRequired } from '@auth0/nextjs-auth0/edge';
 
 export default withMiddlewareAuthRequired();
 
@@ -246,7 +247,7 @@ To run custom middleware for authenticated users:
 
 ```js
 // middleware.js
-import { withMiddlewareAuthRequired, getSession } from '@auth0/nextjs-auth0/middleware';
+import { withMiddlewareAuthRequired, getSession } from '@auth0/nextjs-auth0/edge';
 
 export default withMiddlewareAuthRequired(async function middleware(req) {
   const res = NextResponse.next();
@@ -263,8 +264,8 @@ For using middleware with your own instance of the SDK:
 import {
   withMiddlewareAuthRequired,
   getSession,
-  initAuth0 // note the mw specific `initAuth0`
-} from '@auth0/nextjs-auth0/middleware';
+  initAuth0 // note the edge runtime specific `initAuth0`
+} from '@auth0/nextjs-auth0/edge';
 
 const auth0 = initAuth0({ ... });
 
@@ -419,6 +420,57 @@ Users can then sign up using the signup handler.
 <a href="/api/auth/signup">Sign up</a>
 ```
 
+## Use with Base Path and Internationalized Routing
+
+With Next.js you can deploy a Next.js application under a sub-path of a domain using [Base Path](https://nextjs.org/docs/api-reference/next.config.js/basepath) and serve internationalized (i18n) routes using [Internationalized Routing](https://nextjs.org/docs/advanced-features/i18n-routing).
+
+If you use these features the urls of your application will change and so the urls to the nextjs-auth0 routes will change. To accommodate this there are various places in the SDK that you can customise the url.
+
+For example if `basePath: '/foo'` you should prepend this to the `loginUrl` and `profileUrl` specified in your `Auth0Provider`
+
+```jsx
+// _app.jsx
+function App({ Component, pageProps }) {
+  return (
+    <UserProvider loginUrl="/foo/api/auth/login" profileUrl="/foo/api/auth/me">
+      <Component {...pageProps} />
+    </UserProvider>
+  );
+}
+```
+
+Also, any links to login or logout should include the `basePath`:
+
+```html
+<a href="/foo/api/auth/login">Login</a><br />
+<a href="/foo/api/auth/logout">Logout</a>
+```
+
+You should configure [baseUrl](https://auth0.github.io/nextjs-auth0/interfaces/config.baseconfig.html#baseurl) (or the `AUTH0_BASE_URL` environment variable) eg
+
+```shell
+# .env.local
+AUTH0_BASE_URL=http://localhost:3000/foo
+```
+
+For any pages that are protected with the Server Side [withPageAuthRequired](https://auth0.github.io/nextjs-auth0/modules/helpers_with_page_auth_required.html#withpageauthrequired) you should update the `returnTo` parameter depending on the `basePath` and `locale` if necessary.
+
+```js
+// ./pages/my-ssr-page.jsx
+export default MySsrPage = () => <></>;
+
+const getFullReturnTo = (ctx) => {
+  // TODO: implement getFullReturnTo based on the ctx.resolvedUrl, ctx.locale
+  // and your next.config.js's basePath and i18n settings.
+  return '/foo/en-US/my-ssr-page';
+};
+
+export const getServerSideProps = (ctx) => {
+  const returnTo = getFullReturnTo(ctx.req);
+  return withPageAuthRequired({ returnTo })(ctx);
+};
+```
+
 ## Use a custom session store
 
 You need to create your owm instance of the SDK in code, so you can pass an instance of your session store to the SDK's configuration.

diff --git a/FAQ.md b/FAQ.md
@@ -1,6 +1,7 @@
 # Frequently Asked Questions
 
 1. [Why do I get a `state mismatch` error when logging in from different tabs?](#1-why-do-i-get-a-state-mismatch-error-if-i-try-to-log-in-from-different-tabs)
+2. [How can I reduce the cookie size?](#2-how-can-i-reduce-the-cookie-size)
 
 ## 1. Why do I get a `state mismatch` error if I try to log in from different tabs?
 
@@ -13,3 +14,14 @@ For example:
 3. Complete login on Tab 1: SDK finds Tab 2 state on the cookies and returns error.
 
 **You should handle the error and prompt the user to log in again.** As they will have an active SSO session, they will not be asked to enter their credentials again and will be redirected back to your application.
+
+## 2. How can I reduce the cookie size?
+
+The SDK stores the session data in cookies. Since browsers reject cookies larger than 4 KB, the SDK breaks up lengthier sessions into multiple cookies. However, by default Node.js limits the header size to 16 KB (Node.js version <14 has a max size of 8kb).
+
+If the session cookies are pushing the header size over the limit, **you have two options**:
+
+- Use `-max-http-header-size` to increase Node's header size.
+- Remove unused data from the session cookies.
+
+For the latter, you can add an [afterCallback](https://auth0.github.io/nextjs-auth0/modules/handlers_callback.html#aftercallback) hook to remove unused claims from the user profile. Or set the [storeIDToken](https://auth0.github.io/nextjs-auth0/interfaces/config.sessionconfig.html#storeidtoken) config to `false`, if you do not require the ID Token.